Security researchers have revealed a large-scale supply chain breach in the npm ecosystem this week.
The campaign, discovered by Arctic Wolf, used a wormable malware strain that infiltrated more than 180 packages, including popular libraries like @ctrl/tinycolor.
The first compromised package, rxnt-authentication, was updated on September 14 — just before researchers traced further infections.
This marks one of the first documented self-replicating malware attacks within npm, raising alarms about the fragility of open-source supply chains.
How the malware works
The malicious code executed a multi-phase attack aimed at credential theft, data exfiltration, and automated replication across the npm registry:
- Credential harvesting: Scanned infected systems and CI/CD environments for secrets such as API tokens, cloud keys, and environment variables, using tools like TruffleHog.
- Data exfiltration: Dumped stolen secrets and host metadata into public GitHub repositories (for example, Shai-Hulud) for attacker retrieval.
- GitHub Actions abuse: Deployed a malicious workflow (.github/workflows/shai-hulud-workflow\.yml) to siphon repository secrets and forward them to attacker-controlled webhooks.
- Self-replication: Used stolen npm auth tokens to re-publish additional compromised packages, embedding the malware for further spread.
- Repository manipulation: Made private repos public or injected new branches and workflows, widening the infection across development environments.
Broader supply chain risks
This campaign follows other high-profile npm breaches, including attacks on cryptocurrency packages and developer frameworks.
With npm being the world’s largest JavaScript package registry, it remains a prime target for adversaries.
Mitigation and defensive measures
While this development is alarming, there are defensive steps you can take:
- Audit GitHub and npm accounts: Check for unauthorized repositories, branches, or packages — especially those linked to Shai-Hulud.
- Remove compromised packages: Immediately uninstall affected packages and clear local npm caches before reinstalling dependencies.
- Rotate secrets: Assume all credentials exposed in development pipelines are compromised — rotate API keys, cloud tokens, SSH keys, and GitHub secrets.
- Monitor outbound traffic: Block or closely monitor outbound calls to webhook\[.]site, which the malware used to validate infections.
Takeaway
The npm incident underscores the growing sophistication of malware targeting open-source ecosystems.
By combining credential theft, data exfiltration, and worm-like self-replication, attackers exploited the decentralized nature of package management at scale.
Continuous auditing, proactive secret rotation, and vigilant monitoring are essential to defending against supply chain compromises.